From martijn at djigzo.com Wed Sep 1 10:50:46 2010
From: martijn at djigzo.com (Martijn Brinkers)
Date: Wed, 01 Sep 2010 10:50:46 +0200
Subject: [Djigzo users] !!!WARNING!!! : Don't upgrade Java if you are using Ubuntu 8.04!!
In-Reply-To: <4C6CE429.2030008@djigzo.com>
References: <20100818121440.32010nt01ieelktw@webmail.kwsoft.de> <4C6C2C41.6040206@djigzo.com> <4C6C4DAD.1080102@djigzo.com> <4C6CE429.2030008@djigzo.com>
Message-ID: <4C7E13E6.8060908@djigzo.com>

Hi,

Ubuntu has fixed the bug and has updated the Java package (OpenJDK).
OpenJDK can now be safely updated.

Kind regards,

Martijn Brinkers

Martijn Brinkers wrote:
> Another update for those who are interested in the technicalities of the
> Ubuntu bug.
>
> What follows is rather technical so you can skip it if you are not
> interested. The bottom line is that it's best to wait before doing a
> dist-upgrade until Ubuntu has fixed the OpenJDK package.
>
> Technical details:
>
> It turns out that they have back-ported OpenJDK from newer Ubuntu
> release to Ubuntu 8.04. The original OpenJDK on Ubuntu 8.04 however had
> a different set of dependencies than the updated version. This resulted
> in the removal of the ant package which in turn results in the removal
> of Tomcat and Djigzo (and all other packages which depend on the ant
> package).
>
> Because the OpenJDK update as far as I know only solves a problem with
> Applets there is no need for now to update OpenJDK if you are only
> running Djigzo. It's therefore better to wait until Ubuntu has fixed the
> bug.
>
> If you really need to upgrade I have uploaded a work-around package. The
> only thing the package does is to tell Ubuntu that a Java virtual
> machine is available (a so-called virtual package).
>
> You can download the package from:
>
> http://www.djigzo.com/downloads/fake-java-virtual-machine_1.0.0_all.deb
>
> You should install the package before doing the dist-upgrade.
>
>
> Again: only do this if you really need to update.
> It's better to wait
> for an updated Ubuntu package.
>
> Kind regards,
>
> Martijn
>
>
> Martijn Brinkers wrote:
>> Hi,
>>
>> An update:
>>
>> It's a bug in the updated Ubuntu OpenJDK package. I have contacted the
>> package maintainer and explained what goes wrong. Hopefully an updated
>> OpenJDK package will soon be available. I will investigate a possible
>> workaround and provide more information tomorrow.
>>
>> Kind regards,
>>
>> Martijn
>>
>> Martijn Brinkers wrote:
>>> Hi,
>>>
>>> It seems that there is a bug in Ubuntu 8.04. Ubuntu now seems to have
>>> added the missing package ca-certificates-java but this results in the
>>> removal of ANT and therefore Djigzo will be uninstalled because Djigzo
>>> depends on ANT.
>>>
>>> I will contact Ubuntu to report the problem and see whether I can find a
>>> temporary fix until they fix it.
>>>
>>> Again: DON'T dist-upgrade when using 8.04 (the Virtual Appliance is
>>> using 8.04)!
>>>
>>>
>>> Martijn Brinkers
>>>
>>>> Hello
>>>>
>>>> we use Ubuntu 8.04 LTS with Djigzo and openjdk as Java VM. With the
>>>> recent updates we got the following problems:
>>>> - The openjdk updates require the package "ca-certificates-java" which
>>>> is not available in the online repositories for Ubuntu 8.04 LTS
>>>> - If the package "ca-certificates-java" is installed "by hand" the
>>>> following "apt-get dist-upgrade" try to remove ant,ant-optional and
>>>> djigzo???
>>>>
>>>> While this is for sure a problem of the openjdk package it would be
>>>> nice to hear if someone is using Ubuntu 8.04 and is aware of some
>>>> workaround for this beside not using updates.
>>>>
>>>> Many Thanks
>>>>
>>>> Andreas

--
Djigzo open source email encryption

From lst_hoe02 at kwsoft.de Wed Sep 1 12:27:37 2010
From: lst_hoe02 at kwsoft.de (lst_hoe02 at kwsoft.de)
Date: Wed, 01 Sep 2010 12:27:37 +0200
Subject: [Djigzo users] !!!WARNING!!! : Don't upgrade Java if you are using Ubuntu 8.04!!
In-Reply-To: <4C7E13E6.8060908@djigzo.com>
References: <20100818121440.32010nt01ieelktw@webmail.kwsoft.de> <4C6C2C41.6040206@djigzo.com> <4C6C4DAD.1080102@djigzo.com> <4C6CE429.2030008@djigzo.com> <4C7E13E6.8060908@djigzo.com>
Message-ID: <20100901122737.40965qjocz49xa4g@webmail.kwsoft.de>

Quoting Martijn Brinkers:

> Hi,
>
> Ubuntu has fixed the bug and has updated the Java package (OpenJDK).
> OpenJDK can now be safely updated.
>
> Kind regards,
>
> Martijn Brinkers

Indeed, many Thanks.

Andreas

From lst_hoe02 at kwsoft.de Thu Sep 16 16:18:21 2010
From: lst_hoe02 at kwsoft.de (lst_hoe02 at kwsoft.de)
Date: Thu, 16 Sep 2010 16:18:21 +0200
Subject: [Djigzo users] Automatic certificate selection
Message-ID: <20100916161821.12322pc8h5j9ch8g@webmail.kwsoft.de>

Hello

Our user certificates reach their first year this autumn and we
prepare for renewal of the certificates, which means we have old and
new certificates for some transit time in our Djigzo database. This
should be no problem for decrypting keys as all matching for a given
address will be tried I guess. For signing the documentation says "if
there are multiple certificates suitable for signing, the first
certificate found will be selected".
Is it possible to alter this to
something like the certificate with the longest validity will be
selected? I guess this would better fit most cases.

Regards

Andreas

From martijn at djigzo.com Fri Sep 17 09:01:11 2010
From: martijn at djigzo.com (Martijn Brinkers)
Date: Fri, 17 Sep 2010 09:01:11 +0200
Subject: [Djigzo users] Automatic certificate selection
In-Reply-To: <20100916161821.12322pc8h5j9ch8g@webmail.kwsoft.de>
References: <20100916161821.12322pc8h5j9ch8g@webmail.kwsoft.de>
Message-ID: <1284706871.7031.42.camel@XPS>

Hi Andreas,

> > new certificates for some transit time in our Djigzo database. This
> > should be no problem for decrypting keys as all matching for a given
> > address will be tried I guess.

Yes that should be no problem. The gateway will search for any
available private key which can be used to decrypt the message with.

> > address will be tried I guess. For signing the documentation says "if
> > there are multiple certificates suitable for signing, the first
> > certificate found will be selected". Is it possible to alter this to
> > something like the certificate with the longest validity will be
> > selected? I guess this would better fit most cases.

The way it currently works is that once a signing key has been
selected, it will be used until the signing key (to be precise, the
certificate associated with the private key) expires or is no longer
valid, or when a new signing key is explicitly selected.

Selecting a signing key for every new email might not always be the
best choice because it won't allow you to explicitly select a different
one than the selected one.
Suppose you have a certificate which you
must use for signing but have another one which should be used for
decryption, and the encryption key's validity exceeds the validity of
the signing key. In that case you want to make sure the explicitly
selected signing key will always be used (at least until it expires).

> > selected? I guess this would better fit most cases.

You might be right. I can add an option so you can choose which
private key select procedure you want to use.

For example the following options:

NEVER_SELECT
SELECT_FIRST_TIME
SELECT_NEWEST
SELECT_LONGEST_VALID

Is it possible to add a JIRA entry for your request?

https://jira.djigzo.com/

Kind regards,

Martijn

From lst_hoe02 at kwsoft.de Fri Sep 17 10:22:53 2010
From: lst_hoe02 at kwsoft.de (lst_hoe02 at kwsoft.de)
Date: Fri, 17 Sep 2010 10:22:53 +0200
Subject: [Djigzo users] Automatic certificate selection
In-Reply-To: <1284706871.7031.42.camel@XPS>
References: <20100916161821.12322pc8h5j9ch8g@webmail.kwsoft.de> <1284706871.7031.42.camel@XPS>
Message-ID: <20100917102253.13096lad29b5u84k@webmail.kwsoft.de>

Quoting Martijn Brinkers:

> Hi Andreas,
>
>> > new certificates for some transit time in our Djigzo database. This
>> > should be no problem for decrypting keys as all matching for a given
>> > address will be tried I guess.
>
> Yes that should be no problem. The gateway will search for any
> available private key which can be used to decrypt the message with.

Fine..

>> > address will be tried I guess. For signing the documentation says "if
>> > there are multiple certificates suitable for signing, the first
>> > certificate found will be selected". Is it possible to alter this to
>> > something like the certificate with the longest validity will be
>> > selected? I guess this would better fit most cases.
>
> The way it currently works is that once a signing key has been
> selected, it will be used until the signing key (to be precise, the
> certificate associated with the private key) expires or is no longer
> valid, or when a new signing key is explicitly selected.
>
> Selecting a signing key for every new email might not always be the
> best choice because it won't allow you to explicitly select a different
> one than the selected one. Suppose you have a certificate which you
> must use for signing but have another one which should be used for
> decryption, and the encryption key's validity exceeds the validity of
> the signing key. In that case you want to make sure the explicitly
> selected signing key will always be used (at least until it expires).
Splitting the signing key/cert from decryption key/cert seems odd to me
because the remote party needs your public key to encrypt and the public
key is picked up from digitally signed mail in most cases, no?
For this scenario with split keys/certs I suspect that manually
selecting the signing key would be a better choice? I was not aware
that "auto selection" for signing means that it is selected once and
then used until it expires.

>> > selected? I guess this would better fit most cases.
>
> You might be right. I can add an option so you can choose which
> private key select procedure you want to use.
>
> For example the following options:
>
> NEVER_SELECT
> SELECT_FIRST_TIME
> SELECT_NEWEST
> SELECT_LONGEST_VALID

I would not invest too much time. The new signing certs are used
automatically anyway as expected but only after the old has expired,
which means some days/weeks more spreading the old soon outdated cert
which is not too much hassle.

Instead of another option I would go like this:

choose signing certs automatically set
--> check if more than one valid cert/key is available
    - if a longer valid one is available choose this one

manually selected cert/key
    use until expired
    - if expired stop signing and log a warning

> Is it possible to add a JIRA entry for your request?
>
> https://jira.djigzo.com/

Never used this before but I will try.

Regards

Andreas
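
The signing-certificate selection rules discussed in this thread, sketched as an added example that is not Djigzo's code and not part of any message above. The behaviour attached to each of the four option names, and reading "longest valid" as the latest expiry date, are assumptions; `SigningCert`, `select_signing_cert` and the two sample certificates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class SigningCert:
    serial: str              # constructed label, not a real serial number
    not_before: datetime
    not_after: datetime

    def valid_at(self, now):
        return self.not_before <= now <= self.not_after

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

def select_signing_cert(policy, certs, now, current=None, manual=False):
    """Return (cert, warning); cert is None when nothing may be used to sign."""
    keep = current if current is not None and current.valid_at(now) else None
    if manual:
        # Rule proposed in the thread: a manually selected cert is used until
        # it expires, then signing stops and a warning is logged.
        if keep is None:
            return None, "manually selected signing cert expired; signing stopped"
        return keep, None
    if policy == "NEVER_SELECT":           # assumed: no automatic choice at all
        return keep, None
    valid = [c for c in certs if c.valid_at(now)]
    if not valid:
        return None, "no valid signing certificate available"
    if policy == "SELECT_FIRST_TIME":      # assumed: select once, keep until invalid
        return (keep or valid[0]), None
    if policy == "SELECT_NEWEST":          # assumed: most recent notBefore
        return max(valid, key=lambda c: c.not_before), None
    if policy == "SELECT_LONGEST_VALID":   # assumed: latest notAfter
        return max(valid, key=lambda c: c.not_after), None
    raise ValueError(f"unknown policy: {policy}")

# Constructed sample: a certificate close to expiry and its renewal.
OLD = SigningCert("old", utc(2009, 10, 1), utc(2010, 10, 1))
NEW = SigningCert("new", utc(2010, 9, 10), utc(2011, 9, 10))

if __name__ == "__main__":
    for policy in ("NEVER_SELECT", "SELECT_FIRST_TIME", "SELECT_NEWEST", "SELECT_LONGEST_VALID"):
        cert, warning = select_signing_cert(policy, [OLD, NEW], utc(2010, 9, 17), current=OLD)
        print(policy, cert.serial if cert else None, warning)
```

During the overlap period only the sticky policy keeps signing with the old certificate; after it expires, the automatic policies move to the renewal while a manual selection stops signing with a warning.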